2455336 – (CVE-2026-31405) CVE-2026-31405 kernel: media: dvb-net: fix OOB access in ULE extension header tables

Bug 2455336 (CVE-2026-31405) - CVE-2026-31405 kernel: media: dvb-net: fix OOB access in ULE extension header tables

Summary: CVE-2026-31405 kernel: media: dvb-net: fix OOB access in ULE extension header...

Keywords:
Status:	NEW
Alias:	CVE-2026-31405
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-06 09:01 UTC by OSIDB Bzimport
Modified:	2026-04-06 11:43 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-06 09:01:36 UTC

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-net: fix OOB access in ULE extension header tables

The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.

Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.

Comment 1 Keith Grant 2026-04-06 11:41:48 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040603-CVE-2026-31405-8cfb@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.